158368 – Eager FTL failure for strict comparison of NaN with number check

Bug 158368 - Eager FTL failure for strict comparison of NaN with number check

Summary: Eager FTL failure for strict comparison of NaN with number check

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Benjamin Poulain

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-06-03 16:12 PDT by Joseph Pecoraro
Modified:	2016-06-03 20:27 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
[TEST] JS Reduction (553 bytes, application/x-javascript) 2016-06-03 16:12 PDT, Joseph Pecoraro	no flags	Details
Patch (4.09 KB, patch) 2016-06-03 18:55 PDT, Benjamin Poulain	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Joseph Pecoraro 2016-06-03 16:12:00 PDT

Created attachment 280480 [details]
[TEST] JS Reduction

* SUMMARY
Eager FTL failure for strict comparison of NaN with number check

* TEST
function isNaNOnDouble(value)
{
    return (+value) !== value;
}
noInline(isNaNOnDouble);

function testIsNaNOnDoubles()
{
    var value = isNaNOnDouble(-0);
    if (value)
        throw "isNaNOnDouble(-0) = " + value;

    var value = isNaNOnDouble(NaN);
    if (!value)
        throw "isNaNOnDouble(NaN) = " + value;

    var value = isNaNOnDouble(Number.POSITIVE_INFINITY);
    if (value)
        throw "isNaNOnDouble(Number.POSITIVE_INFINITY) = " + value;
}
noInline(testIsNaNOnDoubles);

for (var i = 0; i < 1e6; ++i) {
    testIsNaNOnDoubles();
}


* STEPS TO REPRODUCE
1. $ DYLD_FRAMEWORK_PATH=$build/Release $build/Release/jsc --useFTLJIT=true --useConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --thresholdForJITAfterWarmUp=10 --thresholdForJITSoon=10 --thresholdForOptimizeAfterWarmUp=20 --thresholdForOptimizeAfterLongWarmUp=20 --thresholdForOptimizeSoon=20 --thresholdForFTLOptimizeAfterWarmUp=20 --thresholdForFTLOptimizeSoon=20 number-compare-strict.js

Exception: isNaNOnDouble(NaN) = false

* NOTES
- The issue only reproduces if --useConcurrentJIT=false

Comment 1 Benjamin Poulain 2016-06-03 17:44:08 PDT

I'll take it. Scary stuff.

Comment 2 Radar WebKit Bug Importer 2016-06-03 17:45:26 PDT

<rdar://problem/26634629>

Comment 3 Benjamin Poulain 2016-06-03 18:55:11 PDT

Created attachment 280501 [details]
Patch

Comment 4 WebKit Commit Bot 2016-06-03 20:27:35 PDT

Comment on attachment 280501 [details]
Patch

Clearing flags on attachment: 280501

Committed r201678: <http://trac.webkit.org/changeset/201678>

Comment 5 WebKit Commit Bot 2016-06-03 20:27:42 PDT

All reviewed patches have been landed.  Closing bug.